11
ReCkage
Re: Security Problem
  • 2004/5/27 18:15

  • ReCkage

  • Just popping in

  • Posts: 39

  • Since: 2004/5/24


Actually the site is hosted on a shared server, so I can't watch the data. But I do have custom session off.

Is there a way to turn off PM totally?

12
tl
Re: Security Problem
  • 2004/5/27 18:30

  • tl

  • Friend of XOOPS

  • Posts: 999

  • Since: 2002/6/23


Quote:

ReCkage wrote:
Actually the site is hosted on a shared server, so I can't watch the data. But I do have custom session off.

Is there a way to turn off PM totally?


You would have to modify the User Menu template and remove inbox.

Then you can delete or rename two files, pmlite.php and viewpmsg.php, from the root directory.

13
m0nty
Re: Security Problem
  • 2004/5/27 18:40

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


You could remove the section dealing with pmlite.

i.e.

in the XOOPS root file userinfo.php

lines 135-139

// Only logged-in users get the "send PM" link and icon
if (is_object($xoopsUser)) {
    $xoopsTpl->assign('user_pmlink', "<a href=\"javascript:openWithSelfMain('".XOOPS_URL."/pmlite.php?send2=1&to_userid=".$thisUser->getVar('uid')."', 'pmlite', 450, 380);\"><img src=\"".XOOPS_URL."/images/icons/pm.gif\" alt=\"".sprintf(_SENDPMTO,$thisUser->getVar('uname'))."\" /></a>");
} else {
    // Anonymous visitors get an empty placeholder
    $xoopsTpl->assign('user_pmlink', '');
}

Comment out these lines or remove them completely, and I think that should get rid of the link and button for sending a PM.

Then edit modules/system/blocks/system_blocks.php

lines 158 & 159

// Unread PM count and the "Inbox" label shown in the user menu block
$block['new_messages'] = $pm_handler->getCount($criteria);
$block['lang_inbox'] = _MB_SYSTEM_INBOX;

Comment these lines out or remove them, and that will get rid of the inbox link in the user menu.

14
ReCkage
Re: Security Problem
  • 2004/5/31 17:05

  • ReCkage

  • Just popping in

  • Posts: 39

  • Since: 2004/5/24


After more testing, we also found that if you enter your username and password wrong you get the page saying incorrect logon, but it brings you into the site as someone else. This problem seems to be getting larger.

15
ReCkage
Re: Security Problem
  • 2004/5/31 17:15

  • ReCkage

  • Just popping in

  • Posts: 39

  • Since: 2004/5/24


Some good news to report. This is not on the main site, but on our testing site, we implemented the mailuserhack in the hack downloads, and the problem went away. So somewhere in the original XOOPS core files root/modules/system/admin/mailform.php or mailusers.php there is a problem.

16
Panos
Re: Security Problem
  • 2004/5/31 17:28

  • Panos

  • Friend of XOOPS

  • Posts: 87

  • Since: 2003/3/20


I have never seen this happen myself, nor have I ever seen anyone else reporting such a problem.

This doesn't mean of course that you are not experiencing a problem of that nature, but I highly doubt that it has anything to do with the XOOPS core files.

If I were you, I would try reproducing the same 'behavior' on another server, configuration and so forth.


17
ReCkage
Re: Security Problem
  • 2004/6/1 0:22

  • ReCkage

  • Just popping in

  • Posts: 39

  • Since: 2004/5/24


Well it was tried on the same server, but different database and fresh install, and the problem happened. We do all our edits on a test site, and then move them to the main site. And this problem happened on the test site.

It could be as simple as a bad upload of the original site, but I would say this should be something to look into, since it basically gave any user the ability to become someone else and even become administrators. The only good thing was that it changed users so often a regular user never had a chance to mess with the admin panel, though it made for some interesting PMs since people thought they were themselves and would PM others, but it would end up coming from another user. The hack fixed it, but this could be a very large security hole if it's not as simple as a bad uploaded file.

18
ajaxbr
Re: Security Problem
  • 2004/6/1 1:29

  • ajaxbr

  • Quite a regular

  • Posts: 276

  • Since: 2003/10/25


Can you tell us how the client computers are organized? Like computers on an intranet, dial-up users, any significant LAN topology?
Once I got someone else's username in my login box at a Brazilian XOOPS site, and that person happens to be a neighbour of mine.
Anyway, this got me curious about how XOOPS identifies users.

19
ReCkage
Re: Security Problem
  • 2004/6/1 2:14

  • ReCkage

  • Just popping in

  • Posts: 39

  • Since: 2004/5/24


At first we thought that also it must be something on the network. But we found that this happened within the school network, it happened at corporate networks on DSL connections, and cable connections. So we ruled out any network problems. From looking at the database we realized that everything is controlled by a group ID and user ID, but to have people moving from one to another we didn't see anything wrong with the database. What got us stumped was, if it was an isolated incident, why did it also happen on the test site?

Here are the stats of the server.

Operating system Linux
Kernel version 2.4.20-24.9
Apache version 1.3.29 (Unix)
PERL version 5.8.1
PHP version 4.3.4
MySQL version 4.0.18-standard

20
JMorris
Re: Security Problem
  • 2004/6/1 3:37

  • JMorris

  • XOOPS is my life!

  • Posts: 2722

  • Since: 2004/4/11


Have you tried to install the XOOPS files via shell? This tends to be the most reliable means of installing them.

Again, grasping at straws, but it's possible that the distro you downloaded could have been corrupt on the mirror or that the FTP software you are using may have altered a file. Try installing a fresh version via shell from a different mirror and see if you can reproduce the error.

I agree that this is a serious issue, hence all possible avenues must be explored.

Also, what version of Linux? I run a bleeding edge distro of MEPIS (Debian based), and it's been known to "touch" files on occasion.
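As an added example (not from this thread and not XOOPS's own code), a POSIX shell check for the "corrupt mirror / FTP altered a file" hypothesis above: it walks a freshly extracted copy of the distribution, compares every file against the installed tree, and separately flags files that differ only in line endings, which is what an ASCII-mode FTP upload leaves behind. The two directory arguments and the exclusion of mainfile.php (assumed here to be the site-specific config) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or XOOPS): compare an installed XOOPS
# tree against a freshly extracted copy of the same distribution.
# Reports files that are MISSING, CHANGED, or differ only in LINE-ENDINGS
# (CRLF vs LF, typical of an ASCII-mode FTP upload).
# Assumption: mainfile.php is site-specific and is skipped.

# Checksum of a file with carriage returns stripped, for line-ending comparison.
lf_checksum() {
    tr -d '\r' < "$1" | cksum
}

# compare_trees FRESH_DIR INSTALLED_DIR
compare_trees() {
    fresh=$1
    installed=$2
    # Walk every file in the clean tree and look for its counterpart.
    ( cd "$fresh" && find . -type f | LC_ALL=C sort ) | while IFS= read -r rel; do
        rel=${rel#./}
        case "$rel" in
            mainfile.php) continue ;;
        esac
        if [ ! -f "$installed/$rel" ]; then
            printf 'MISSING  %s\n' "$rel"
        elif cmp -s "$fresh/$rel" "$installed/$rel"; then
            :   # identical, nothing to report
        elif [ "$(lf_checksum "$fresh/$rel")" = "$(lf_checksum "$installed/$rel")" ]; then
            printf 'LINE-ENDINGS  %s\n' "$rel"
        else
            printf 'CHANGED  %s\n' "$rel"
        fi
    done
}

# Run directly, e.g.: sh check_tree.sh /tmp/xoops-fresh/html /var/www/html
if [ "$#" -eq 2 ]; then
    compare_trees "$1" "$2"
fi
```

A LINE-ENDINGS hit points at the transfer method rather than the mirror; a CHANGED or MISSING hit on a core file is worth a re-upload from a second mirror before looking further.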
